Legal News

Mousse v Commission Nationale De L’ Informatique Et Des Libertés , Case C-394/23 What are the practical implications of this case? The Court of Justice’s ruling has major consequences for any company, particularly online platforms, operating in the European Union that routinely ask customers to provide titles when opening accounts or purchasing goods and services. Controllers must review their collection practices to ensure strict conformity with the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDPR), including data minimisation and the presence of an appropriate legal basis. Gathering personal information, such as titles or gender identifiers, that is not necessary for performance of a contract or does not pursue a legitimate interest that prevails over the individual’s rights and freedoms (or relies on another lawful ground), is unlawful. For processing intended to personalise commercial...

The Opinion arose from a referral by the Irish Data Protection Commission ( DPC) under Article 64(2) of the EU General Data Protection Regulation, Regulation ( EU) 2016/679 (the EU GDPR). Article 62(4) allows any EU data protection authority ( DPA) to put questions to the EDPB that are of general relevance or have implications across more than one EU Member State, with the aim of enhancing harmonisation and clarity on such matters. Over the past twelve months in particular, DPAs have been wrestling with AI, and the DPC—acting as lead DPA for many of the world’s largest technology companies—has frequently led on the most urgent issues. While EDPB Opinions, akin to guidelines, do not have binding legal force, they will strongly shape how DPAs proceed; accordingly, we should expect the Opinion’s principles to appear in national guidance and...

What is the CNI regime? Critical National Infrastructure ( CNI) encompasses the physical and digital assets, sites, and networks that keep a nation running, underpinning the health, safety, security, and economic prosperity of its people. In the UK, the basis for CNI rests on a mix of long-standing government programmes, statutory duties, and policy directives intended to protect pivotal industries. Together, they support the functioning of the country and the well-being of its population. Collectively, these elements are indispensable to national operations and the welfare of citizens. The regime arose from the imperative to shield vital services and infrastructure central to national security, economic resilience, and public protection—a subject under review by many states from the mid-twentieth century. That imperative sharpened towards the close of the twentieth century as threats from terrorism, espionage, and cyberattacks...

In this issue: Data protection Reputation management Daily and weekly news alerts New and updated content Data protection China’s Deep Seek AI model raises new challenges for EU and UK data regulators. This generative tool, developed in China, saw rapid global uptake in the week beginning 27 January 2025, particularly following its launch as a mobile app, triggering caution from European privacy regulators. See News Analysis: China’s Deep Seek AI model poses fresh concerns for EU and UK data regulators. Data Protection ( Charges and Information) ( Amendment) Regulations 2025 SI 2025/63: Amendments to the Data Protection ( Charges and Information) Regulations 2018, SI 2018/480, increase the annual fees payable to the Information Commissioner by 29.8% across all tiers. These Regulations come into force on 17 February 2025. See: LNB News 28/01/2025 11. ICO issues guidance on ‘ Consent or Pay’ models for online...

‘ We will produce a single set of rules…for those developing or using AI products to make it easier for them to innovate and invest responsibly while safeguarding people's information rights’ He noted, reading from his letter. He argued that a statutory AI code of practice would offer greater regulatory certainty to companies seeking to invest in AI. He also cited an estimate that AI could contribute £47bn to the UK economy each year. In late December 2024, Prime Minister Keir Starmer wrote to a host of regulators requesting a set of five pro-growth proposals, and the Information Commissioner's Office ( ICO) replied with seven in total......

EDPB report on DPA activity between 2018 and 2023 Strict GDPR enforcement only on paper When the General Data Protection Regulation ( GDPR) took effect in 2018, it signalled a new chapter for EU privacy protection — at least in theory. Individuals were armed with means to defend their fundamental rights, while regulators gained robust investigatory tools and the power to punish infringements with substantial penalties. Nearly seven years on, the picture is far gloomier. Marking Data Protection Day on 28 January 2025, noyb reviewed the latest EDPB figures on the (in)activity of national data protection authorities ( DPAs). The numbers reveal that, on average, only 1.3% of complaints handled by DPAs culminate in a fine. Yet data protection professionals consistently note that penalties are the most effective lever for driving companies to follow the law. Back in May 2018, the GDPR promised a decisive move...

The developer’s privacy notice states that all user information is transmitted to China, where it is retained indefinitely, and it makes no reference to European data protection law or any lawful basis for processing personal data. Although the model’s apparently strong performance on a modest training budget has depressed the share prices of US technology companies, consumer organisations in Europe have begun contacting Italy’s Data Protection Authority ( DPA), noted for proactively challenging Open AI two years ago over comparable issues linked to the launch of Chat GPT. The user terms for the Deep Seek generative AI application, jointly controlled by two Chinese companies, present multiple concerns for authorities responsible for enforcing the EU’s General Data Protection Regulation, Regulation ( EU) 2016/679 ( EU GDOR). All personal data is stored on servers located in China. Transfers will be “in...

The EU’s General Court ruled today that the EDPB has the authority to order Ireland’s data regulator to launch new investigations into Meta Platforms (see here) The General Court confirmed that the EDPB may instruct national supervisory authorities, including a lead supervisory authority, to widen their analysis, carry out supplementary investigations and adopt fresh decisions, holding that this competence is consistent with EU law. The court emphasised that the EDPB’s use of this power remains open to judicial review. In this matter, however, the applicant confined its challenge to asserting that the EDPB lacked competence, rather than contesting how the power was exercised. The judgment follows a bid by Ireland’s DPC to resist the EDPB’s direction to pursue additional inquiries into Meta, arguing the Board had overstepped its remit. The dispute dates back to 2018 and arose from complaints submitted by...

Bates v Rubython and Business F1 Magazine [2024] EWHC 2706 ( KB) What are the practical implications of the case? The court first addressed applications to excise passages from the first defendant’s witness statement and from the defence, on the footing that they strayed beyond matters relevant to the pleaded positions on pre‑existing poor reputation and serious harm. The bid to strike out those passages succeeded. The application also prompted analysis of Burstein particulars—background matters directly tied to the defamatory sting which, if proved, may mitigate damages. The ruling underscores that such particulars must be tightly focused, directly relevant, and within the publishees’ knowledge to be relied upon. In addition, a defendant who does not plead truth cannot, save under the Burstein rule, adduce evidence tending to the truth of the libel. On serious harm and alleged bad reputation, the judge considered a...

Maximilian Schrems v Meta Platforms Ireland Ltd , Case C-446/21 What are the practical implications of this case? The ruling in Schrems v Meta Platforms Ireland arrives 14 months after the Court of Justice, in Meta vs Bundeskartellamt ( Case C‑252/21), concluded that merely accessing a site or app does not, in itself, make a user’s personal data manifestly public—thereby eliminating reliance by a social network on Article 9(1)(e) of Regulation ( EU) 2016/679, the General Data Protection Regulation ( EU GDPR). Schrems v Meta Platforms Ireland narrows the scope for processing special category data on social platforms and offers significant clarification on handling data that has been manifestly made public (and where explicit consent is invoked). Notably, it emphasises the nexus between a person issuing a public statement—which can render particular information manifestly public—and a platform’s deployment of pixels and cookies to track online...

In this issue: Data protection e Privacy Cybersecurity Reputation management Daily and weekly news alerts New and updated content Data protection DSIT publishes response to data protection fee regime consultation The Department for Science, Innovation and Technology ( DSIT) has released its response to the consultation on proposed revisions to the data protection fee regime. The consultation, which closed on 3 October 2024, asked for views on a 37.2% uplift in fees payable by data controllers to the Information Commissioner’s Office ( ICO) across all tiers. DSIT’s reply sets out stakeholder commentary on the increase, and reviews the continued suitability of other parts of the regime, including the criteria for fee assessment, discounts for paying by direct debit, and the current exemptions from payment requirements. See: LNB News 16/01/2025 52. EDPB issues guidance on data protection and competition law interplay The European Data Protection Board ( EDPB) has adopted a position paper exploring the...

The King’s youngest son has settled his claim against News Group Newspapers Ltd., the company behind The Sun and the now-defunct News of the World, which closed in 2011, just a day before a High Court trial over alleged privacy breaches by unlawful means was set to commence. Labour peer Tom Watson, who had also been suing the publisher, alleging he was targeted while a junior minister, likewise reached a settlement in his own case. In a statement delivered in court by Prince Harry’s counsel, David Sherborne of 5RB, News Group extended to the royal a ‘full and unequivocal apology’ for the serious intrusions into his private life, ‘including instances of unlawful activity carried out by private investigators acting for The Sun’. The publisher has agreed to pay ‘substantial damages’, Sherborne confirmed. News Group further apologised for the...

In this issue: Data protection Public sector information Daily and weekly news alerts New and updated content Latest Q& A Data protection Clarification for future penalty appeals as Court of Appeal dismisses appellant’s third attempt to avoid ICO fine for UK GDPR breaches ( Doorstep Dispensaree Ltd v Information Commissioner) Through its decision in Doorstep Dispensaree Ltd v Information Commissioner [2024] EWCA Civ 1515, the Court of Appeal brought a prolonged series of appeals to an end, centred on a penalty levied by the Information Commissioner’s Office ( ICO) on a pharmacy company in 2019 for data protection infringements—the first fine of its type in the UK at that point......

Doorstep Dispensaree Ltd v Information Commissioner [2024] EWCA Civ 1515 What are the practical implications of this case? This ruling reinforces under the UK GDPR that controllers bear ultimate accountability for compliant personal data processing; engaging subcontractors does not shift or dilute those duties. It further shows that the mandate for penalties to be “effective, proportionate and dissuasive” in Article 83(1) requires a case-by-case balancing of the Article 83(2) factors. In the FTT appeal, the tribunal underscored aggravating circumstances, including the particular vulnerability of the data subjects and the seriousness of DDL’s infringements of the UK GDPR. Although DDL’s financial difficulties were recognised as a mitigating consideration, they did not justify removing the fine altogether. Five years after the penalty was imposed, the enforcement landscape has altered markedly, with a new Commissioner in post and updated ICO guidance on data protection penalties. Over the past couple of...

On 8 January 2025, EU judges ruled that the Commission must pay compensation to a user of one of its websites after personal data was sent to the US without the necessary safeguards in place. German consumer Thomas Bindl argued that his personal details, including his IP address, were unlawfully transferred to the US after he registered for an event on its website using a service that lets users log in via Facebook. In 2022, he brought legal action against the EU’s executive arm for employing the US cloud service, Amazon Cloud Front, to move personal data from its websites to the US, in breach of a 2020 judgment designed to prevent US surveillance authorities from accessing EU citizens’ data. He said the Commission’s website on the Conference on the Future of the EU, and a separate website for a ' Go Green' event,...

Legislation— UK New regulations protecting consumers from cyber attacks come into force From 29 April 2024, rules safeguarding consumers from hacking and cyber attacks took effect. They require makers of internet-connected smart devices to comply with baseline security measures and outlaw easily guessed default passwords, in order to discourage cyber criminals. By doing so, the measures aim to raise minimum-security standards for connected products. These reforms sit within the Product Security and Telecommunications Infrastructure regime. See: LNB News 29/04/2024 16. Data Protection and Digital Information Bill lost in outgoing Parliament wash-up period and expansive Data ( Use and Access) Bill introduced to newly-elected Parliament The Data Protection and Digital Information Bill fell during the wash-up ahead of Parliament’s prorogation on Friday, 24 May 2024 and its dissolution on 30 May 2024 for the UK general election held on 4 July 2024, as uncompleted business lapses at...

In this issue: Data Protection e Privacy Reputation management Cybersecurity State security and intelligence Key developments of 2024 and what to look for in 2025 Daily and weekly news alerts New and updated content Data Protection Open AI, X, Google and Meta may rely on legitimate interests for AI models, says EDPB MLex reports that Open AI, X, Google and Meta can ground the processing of personal data for building and deploying AI models on legitimate interests, provided suitable mitigation measures are applied, according to a significant European Data Protection Board opinion issued on 19 December 2024. The EDPB also addressed how to handle unlawful data processing in AI model development, and when AI models can be deemed anonymised. See News Analysis: Open AI, X, Google can use legitimate interest for AI models, EDPB says... EU...

Prismall v Google UK Ltd and another company [2024] EWCA Civ 1516 What are the practical implications of this case? This Court of Appeal ruling does not meaningfully develop the jurisprudence, yet it underlines the formidable obstacles to pursuing a representative claim for misuse of private information. Following the Supreme Court’s decision in Lloyd v Google LLC [2021] UKSC 50, which effectively closed the door on representative actions for data protection breaches, claimants turned instead to misuse of private information as the preferred route. The court recognised, however, that such claims are generally inherently ill‑suited to representative procedures because, in practice, individual circumstances determine whether a given claimant enjoys a reasonable expectation of privacy; that assessment, in turn, dictates whether the entire cohort can be said to share the ‘same interest’, as strictly required by CPR 19.8. Where a class may comprise hundreds or even...

The Investigatory Powers Tribunal concluded that MI5 did not exceed its legal powers when it issued an 'interference alert' that accused Christine Lee of running political interference on behalf of the United Front Work Department, part of the Central Committee of the Chinese Communist Party An alert released in January 2022 and shared within parliament stated that the 61-year-old had assisted the UFWD in forging connections with both seasoned and would-be Parliamentarians from all parties. It further claimed she had arranged donations to political organisations for overseas nationals. A panel chaired by Court of Appeal judge Rabinder Singh rejected the case advanced by Lee and her son, Daniel Wilkes, 30, a former aide to Labour MP Barry Gardiner, issuing a ruling delivered in part behind closed doors. Justice Singh, who also presides over the tribunal, said MI5’s ‘national security evaluation’ regarding Lee ‘had a...

In this issue: Data protection Daily and weekly news alerts New and updated content Information Law Highlights 2024/2025 Data protection ICO publishes report on data protection in generative AI, calls for transparency The Information Commissioner’s Office ( ICO) has issued a report on data protection in generative artificial intelligence ( AI), following a consultation that opened in January 2024 which drew over 200 responses. The ICO has clarified its stance on the lawful basis for web-scraped data and embedding individuals’ rights within AI models. See: LNB News 13/12/2024 51. EDPB issues opinion on AI models’ compliance with EU GDPR principles The European Data Protection Board ( EDPB) has approved an opinion regarding the use of personal data in AI model development and deployment......